cert-manager/aws-privateca-issuer

[Feature Request]: Have tls server name (sni) set for outbound https connections

ceastman-r7 opened this issue · 6 comments

Describe why this change is needed

In an Istio enabled environment when egress filtering is enabled, Istio uses the hostname / sni to do egress hostname matching.

If there is no tls server name / sni then Istio can't match the outbound tcp port 443 connection so it would block it.

Describe solutions and alternatives considered (optional)

Istio sidecar resource can allow all but that defeats the purpose of having Istio perform egress filtering.

Is there anything else you would like to add?

No response

Thank you for submitting the feature request to AWS Private CA Issuer plugin. We will review the request and get back to you.

We would like to have some further clarification. Is this referring to the requests from the plugin -> acm-pca?

This is for outgoing https requests from the aws-acm-pca-aws-privateca-issuer pod to external endpoints. Currently Istio just sees outbound tcp connections on port 443 but since tls server name / sni is not set Istio can't tell what hostname the connection is for.

For instance:
[Screenshot attached to the original issue, "Screen Shot 2022-06-27 at 4 48 43 PM", not reproduced here]
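Added example (not code from the issue or from the aws-privateca-issuer project): a self-contained Go check that reproduces what a sidecar on the egress path can and cannot see. A loopback TLS listener records the `server_name` from the raw ClientHello via `GetConfigForClient`, a client is dialled once with `ServerName` unset (no SNI goes out when the target is an IP literal) and once with it set, and a small `EgressAllowed` function models a hostname-keyed rule in which an empty SNI can never match. `ExampleHost`, the self-signed certificate and `EgressAllowed` are constructed for this example; `EgressAllowed` is a model of the matching described in the issue, not Istio's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ExampleHost is a constructed stand-in for the external endpoint an egress rule would key on.
const ExampleHost = "acm-pca.example.invalid"

// selfSignedCert builds a throwaway cert (constructed) for ExampleHost and loopback, plus a pool trusting only it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: ExampleHost},
		DNSNames:     []string{ExampleHost},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// ObservedSNI runs one TLS handshake against a loopback listener with clientCfg and returns the
// server_name seen in the raw ClientHello, i.e. exactly what a sidecar proxy on the egress path sees.
func ObservedSNI(clientCfg *tls.Config) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	seen := make(chan string, 1)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			seen <- hello.ServerName // "" when the client sent no SNI
			return nil, nil
		},
	}
	go func() {
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, srvCfg)
			_ = srv.Handshake()
			srv.Close()
		}
	}()
	cfg := clientCfg.Clone()
	cfg.RootCAs = pool
	// ServerName unset + IP literal target => no SNI; ServerName set => hostname in ClientHello and verified.
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	conn.Close()
	return <-seen, nil // a completed client handshake implies the callback already ran
}
// EgressAllowed models a hostname-keyed egress rule: only a non-empty SNI on the allowlist passes.
func EgressAllowed(sni string, allowlist []string) bool {
	for _, h := range allowlist {
		if sni != "" && sni == h {
			return true
		}
	}
	return false
}
func main() {
	for _, cfg := range []*tls.Config{{}, {ServerName: ExampleHost}} {
		sni, err := ObservedSNI(cfg)
		fmt.Printf("sni=%q egress_allowed=%v err=%v\n", sni, EgressAllowed(sni, []string{ExampleHost}), err)
	}
}
```

Run with `go run`: the first configuration reaches the listener with an empty SNI and is refused by the allowlist, which is the situation the issue describes; the second carries `ExampleHost` and passes. The same callback-based capture is a cheap way to verify in CI that any outbound TLS path in a plugin actually emits SNI before relying on a hostname-based egress policy.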

Thank you for the clarification. We will review the information and get back to you.

Hi @ceastman-r7. We have placed this change in our priority queue, thank you for the suggestion.